CVE-2021-46597
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Bentley MicroStation CONNECT installations by tricking users into opening malicious JT files. The flaw exists in JT file parsing where the software fails to validate object existence before operations, leading to use-after-free conditions. Affected users are those running vulnerable versions of Bentley MicroStation CONNECT.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or arbitrary code execution within the context of the MicroStation process, potentially allowing file system access and further exploitation.
If Mitigated
Limited impact if proper application sandboxing, least privilege principles, and network segmentation are implemented, though data loss or local compromise may still occur.
🎯 Exploit Status
Exploitation requires user interaction but has been assigned a ZDI identifier (ZDI-CAN-15391) suggesting active research interest.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.1.0 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download latest MicroStation CONNECT update from Bentley Systems. 2. Run installer with administrative privileges. 3. Restart system after installation completes.
🔧 Temporary Workarounds
Disable JT file association
windowsRemove JT file type association with MicroStation to prevent automatic opening
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose different application
Application control policy
windowsImplement application whitelisting to block execution of untrusted JT files
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MicroStation systems
- Apply principle of least privilege to user accounts running MicroStation
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About menu or examine installed programs in Control PanelCheck Version:
wmic product where name="MicroStation CONNECT" get versionVerify Fix Applied:
Verify version is 10.16.1.0 or later in Help > About menu📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from MicroStation executable
- Multiple failed JT file parsing attempts
- Abnormal memory access patterns in application logs
Network Indicators:
- Unexpected outbound connections from MicroStation process
- JT file downloads from untrusted sources
SIEM Query:
process_name:"ustation.exe" AND (event_type:"process_creation" OR event_type:"file_access") AND file_extension:".jt"